Re-land: releasetools: Deprecate GKI build rules

(Re-land of Ie882fccd864920289e48366e99a4ebd67e784d0d)

We no longer build GKIs from the platform tree.
These build commands were neither used nor maintained anymore, so clean
them up to reduce maintenance effort.
Keep the command line options as no-ops, so existing scripts that still
specify the deprecated options don't break.

Bug: 229701033
Test: presubmit
Change-Id: I0f7d05562dbc3eed29e902d6dc9a0f2e4083aaa6
Yi-Yo Chiang
2024-01-24 14:10:17 +08:00
parent b14bf5f6e9
commit a4d5f4380b
6 changed files with 6 additions and 197 deletions


@@ -168,7 +168,6 @@ python_defaults {
"apexd_host", "apexd_host",
"brillo_update_payload", "brillo_update_payload",
"checkvintf", "checkvintf",
"generate_gki_certificate",
"lz4", "lz4",
"toybox", "toybox",
"unpack_bootimg", "unpack_bootimg",
@@ -245,7 +244,6 @@ python_library_host {
"boot_signer", "boot_signer",
"brotli", "brotli",
"bsdiff", "bsdiff",
"generate_gki_certificate",
"imgdiff", "imgdiff",
"lz4", "lz4",
"mkbootfs", "mkbootfs",
@@ -310,7 +308,6 @@ python_defaults {
"brotli", "brotli",
"bsdiff", "bsdiff",
"deapexer", "deapexer",
"generate_gki_certificate",
"imgdiff", "imgdiff",
"lz4", "lz4",
"mkbootfs", "mkbootfs",


@@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
pubkey_path=pubkey_path) pubkey_path=pubkey_path)
def _HasGkiCertificationArgs():
return ("gki_signing_key_path" in OPTIONS.info_dict and
"gki_signing_algorithm" in OPTIONS.info_dict)
def _GenerateGkiCertificate(image, image_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path")
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
key_path = ResolveAVBSigningPathArgs(key_path)
# Checks key_path exists, before processing --gki_signing_* args.
if not os.path.exists(key_path):
raise ExternalError(
'gki_signing_key_path: "{}" not found'.format(key_path))
output_certificate = tempfile.NamedTemporaryFile()
cmd = [
"generate_gki_certificate",
"--name", image_name,
"--algorithm", algorithm,
"--key", key_path,
"--output", output_certificate.name,
image,
]
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
signature_args = signature_args.strip()
if signature_args:
cmd.extend(["--additional_avb_args", signature_args])
args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
args = args.strip()
if args:
cmd.extend(["--additional_avb_args", args])
RunAndCheckOutput(cmd)
output_certificate.seek(os.SEEK_SET, 0)
data = output_certificate.read()
output_certificate.close()
return data
def BuildVBMeta(image_path, partitions, name, needed_partitions, def BuildVBMeta(image_path, partitions, name, needed_partitions,
resolve_rollback_index_location_conflict=False): resolve_rollback_index_location_conflict=False):
"""Creates a VBMeta image. """Creates a VBMeta image.
@@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
RunAndCheckOutput(cmd) RunAndCheckOutput(cmd)
if _HasGkiCertificationArgs():
if not os.path.exists(img.name):
raise ValueError("Cannot find GKI boot.img")
if kernel_path is None or not os.path.exists(kernel_path):
raise ValueError("Cannot find GKI kernel.img")
# Certify GKI images.
boot_signature_bytes = b''
boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel")
BOOT_SIGNATURE_SIZE = 16 * 1024
if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
raise ValueError(
f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
boot_signature_bytes += (
b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
with open(img.name, 'ab') as f:
f.write(boot_signature_bytes)
# Sign the image if vboot is non-empty. # Sign the image if vboot is non-empty.
if info_dict.get("vboot"): if info_dict.get("vboot"):
path = "/" + partition_name path = "/" + partition_name


@@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
--gki_signing_algorithm <algorithm> --gki_signing_algorithm <algorithm>
--gki_signing_key <key> --gki_signing_key <key>
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
'boot signature' in a v4 boot.img. Otherwise it uses the existing values
in info dict.
--gki_signing_extra_args <args> --gki_signing_extra_args <args>
Specify any additional args that are needed to generate 'boot signature' DEPRECATED Does nothing.
(e.g. --prop foo:bar). The args will be appended to the existing ones
in info dict.
--android_jar_path <path> --android_jar_path <path>
Path to the android.jar to repack the apex file. Path to the android.jar to repack the apex file.
@@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
OPTIONS.avb_keys = {} OPTIONS.avb_keys = {}
OPTIONS.avb_algorithms = {} OPTIONS.avb_algorithms = {}
OPTIONS.avb_extra_args = {} OPTIONS.avb_extra_args = {}
OPTIONS.gki_signing_key = None
OPTIONS.gki_signing_algorithm = None
OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set() OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None OPTIONS.vendor_otatools = None
@@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
[len(os.path.basename(i.filename)) for i in input_tf_zip.infolist() [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()
if GetApkFileInfo(i.filename, compressed_extension, [])[0]]) if GetApkFileInfo(i.filename, compressed_extension, [])[0]])
except ValueError: except ValueError:
# Sets this to zero for targets without APK files, e.g., gki_arm64. # Sets this to zero for targets without APK files.
maxsize = 0 maxsize = 0
for info in input_tf_zip.infolist(): for info in input_tf_zip.infolist():
@@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
if misc_info.get('avb_enable') == 'true': if misc_info.get('avb_enable') == 'true':
RewriteAvbProps(misc_info) RewriteAvbProps(misc_info)
# Replace the GKI signing key for boot.img, if any.
ReplaceGkiSigningKey(misc_info)
# Write back misc_info with the latest values. # Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info):
misc_info[args_key] = result misc_info[args_key] = result
def ReplaceGkiSigningKey(misc_info):
"""Replaces the GKI signing key."""
key = OPTIONS.gki_signing_key
if not key:
return
algorithm = OPTIONS.gki_signing_algorithm
if not algorithm:
raise ValueError("Missing --gki_signing_algorithm")
print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
misc_info["gki_signing_algorithm"] = algorithm
misc_info["gki_signing_key_path"] = key
extra_args = OPTIONS.gki_signing_extra_args
if extra_args:
print('Setting GKI signing args: "%s"' % (extra_args))
misc_info["gki_signing_signature_args"] = extra_args
def BuildKeyMap(misc_info, key_mapping_options): def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options: for s, d in key_mapping_options:
if s is None: # -d option if s is None: # -d option
@@ -1477,12 +1444,6 @@ def main(argv):
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'. # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
partition, extra_args = a.split("=", 1) partition, extra_args = a.split("=", 1)
OPTIONS.avb_extra_args[partition] = extra_args OPTIONS.avb_extra_args[partition] = extra_args
elif o == "--gki_signing_key":
OPTIONS.gki_signing_key = a
elif o == "--gki_signing_algorithm":
OPTIONS.gki_signing_algorithm = a
elif o == "--gki_signing_extra_args":
OPTIONS.gki_signing_extra_args = a
elif o == "--vendor_otatools": elif o == "--vendor_otatools":
OPTIONS.vendor_otatools = a OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions": elif o == "--vendor_partitions":
@@ -1493,6 +1454,8 @@ def main(argv):
OPTIONS.override_apk_keys = a OPTIONS.override_apk_keys = a
elif o == "--override_apex_keys": elif o == "--override_apex_keys":
OPTIONS.override_apex_keys = a OPTIONS.override_apex_keys = a
elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"):
print(f"{o} is deprecated and does nothing")
else: else:
return False return False
return True return True
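Review bot: The deprecation notice in the new `elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"):` branch is written to stdout with `print`, so a release signing script that still passes `--gki_signing_key` exits successfully with only one easily missed log line, while the common.py part of this commit means boot.img no longer gets a GKI boot signature. I would emit it as a warning on stderr instead, e.g. `print(f"WARNING: {o} is deprecated and does nothing", file=sys.stderr)` (this assumes `sys` is imported in the module, which the hunk does not show), so signing pipelines that capture stderr or grep for warnings notice that the key they supplied is not being applied. Any `gki_signing_*` entries already present in `misc_info` now appear to be written back unchanged, since `ReplaceGkiSigningKey` is gone; a short comment in this branch saying those keys are ignored downstream would help the next reader. The option handler and `main` both start outside this hunk.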


@@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
self.assertEqual(3, chained_partition_args.rollback_index_location) self.assertEqual(3, chained_partition_args.rollback_index_location)
self.assertTrue(os.path.exists(chained_partition_args.pubkey_path)) self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))
def test_GenerateGkiCertificate_KeyPathNotFound(self):
pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
self.assertFalse(os.path.exists(pubkey))
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
common.OPTIONS.search_path = None
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel')
def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
pubkey = 'no_testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey))
# Tests it should raise ExternalError if no key found under
# OPTIONS.search_path.
search_path_dir = common.MakeTempDir()
search_pubkey = os.path.join(search_path_dir, pubkey)
self.assertFalse(os.path.exists(search_pubkey))
common.OPTIONS.search_path = search_path_dir
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel')
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh. """Checks the format of install-recovery.sh.


@@ -23,8 +23,7 @@ import common
import test_utils import test_utils
from sign_target_files_apks import ( from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps, ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)
WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None), 'build/make/target/product/security/testkey', None),
}, keys_info) }, keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'
common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
expected_dict = {
'gki_signing_key_path': 'release_gki_key',
'gki_signing_algorithm': 'release_gki_algorithm',
'gki_signing_signature_args': 'release_gki_signature_extra_args',
}
ReplaceGkiSigningKey(misc_info)
self.assertDictEqual(expected_dict, misc_info)
def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'
common.OPTIONS.gki_signing_algorithm = None
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)
def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):
common.OPTIONS.gki_signing_key = None
common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
# No change to misc_info if common.OPTIONS.gki_signing_key is missing.
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
expected_dict = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
ReplaceGkiSigningKey(misc_info)
self.assertDictEqual(expected_dict, misc_info)


@@ -132,7 +132,7 @@ def ValidateFileConsistency(input_zip, input_tmp, info_dict):
return return
# Verify IMAGES/system.img if applicable. # Verify IMAGES/system.img if applicable.
# Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less. # Some targets are system.img-less.
if 'IMAGES/system.img' in input_zip.namelist(): if 'IMAGES/system.img' in input_zip.namelist():
CheckAllFiles('system') CheckAllFiles('system')